On 8.3.2013 14:41, Simo Sorce wrote:
On Fri, 2013-03-08 at 10:31 +0100, Jan Cholasta wrote:
Hi,
On 7.3.2013 21:15, Rob Crittenden wrote:
Based on a comment from Sumit in ticket
https://fedorahosted.org/freeipa/ticket/3329 here is a bare outline of
how one might do it: http://freeipa.org/page/V3/Kerberos_Flags
Can we have one multi-valued attribute which contains names of flags to
set instead of one attribute per flag? It might make adding new flags
easier.
if you are cramming everything in one attribute then we can keep using
krbExtraData, no ?
I'm not sure if that can be done from Python.
Can we use krbTicketFlags for this? Support for this attribute is
already in ipa-kdb and I have checked that setting it to the right value
results in tickets with OK_AS_DELEGATE set.
Would it make sense to add a global configuration option to turn flags
on or off for all services of a given type?
We might, but how do you check for the global value ?
An additional search for every KDC operation is simply not going to
happen.
Can we do that extra search only when the KDC is initialized and when
configuration is refreshed? I don't think the default values would
change too often, so this might be OK.
Simo.
Honza
--
Jan Cholasta
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
